Overclockers Australia Forums

Blizzard Important Security Update

#1 | Fettrix (Thread Starter) | 10th August 2012, 9:19 AM

Quote:
Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime

Source

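Added example (not part of the thread and not Blizzard's code): what an SRP server keeps per account, a random salt and a verifier v = g^x mod N, and why the same password on two accounts gives unrelated records, which is the "deciphered individually" point in the announcement. It assumes the RFC 2945 / RFC 5054 construction x = SHA1(salt | SHA1(user:password)) with the RFC 5054 1024-bit group; the announcement does not state Blizzard's actual parameters, and the usernames and passwords are constructed.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A (assumption: the announcement
# does not say which group or hash Blizzard's deployment used).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2


def private_value(username: str, password: str, salt: bytes) -> int:
    """x = SHA1(salt | SHA1(username ":" password)), per RFC 2945 / RFC 5054."""
    inner = hashlib.sha1(f"{username}:{password}".encode("utf-8")).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N. The server stores v, never x or the password."""
    return pow(G, private_value(username, password, salt), N)


def enroll(username: str, password: str) -> dict:
    """Build the server-side record for a new account."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    return {"user": username, "salt": salt,
            "v": verifier(username, password, salt)}


def reproduces(record: dict, password: str) -> bool:
    """True only if `password` regenerates this account's verifier."""
    return verifier(record["user"], password, record["salt"]) == record["v"]


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    a, b = enroll("player_one", pw), enroll("player_two", pw)
    print("same password, same verifier?", a["v"] == b["v"])
    print("reproduced with the right password:", reproduces(a, pw))
    print("reproduced with another password:", reproduces(a, "Tr0ub4dor&3"))
```

Because the salt and the username both feed x, nothing computed against one account's record carries over to another. A weak password can still be guessed against its own record, which is why the announcement asks for a password change anyway.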

#2 | FiShy | 10th August 2012, 9:54 AM

WOW/D3 forums are about to melt haha.

#3 | Bertross | 10th August 2012, 10:09 AM

be great if they actually email us instead of stumbling across this....

pretty poor effort.

#4 | CAPT-Irrelevant | 10th August 2012, 10:52 AM

Quote:
Originally Posted by Bertross
be great if they actually email us instead of stumbling across this....

pretty poor effort.
Not really. With many online game services being phished, such as Blizzard, it's a smart move, in case junkmail filter picks it up as a false positive.

#5 | dogthinker | 10th August 2012, 11:26 AM

Quote:
Originally Posted by CAPT-Irrelevant
Not really. With many online game services being phished, such as Blizzard, it's a smart move, in case junkmail filter picks it up as a false positive.
Eh? Nothing says they can't do both. Posting it on their website *guarantees* that I won't see it. I never visit their website unless I'm looking for something specific. I'm probably in a majority of their users, on that count. Emailing me would at least have had a chance of letting me know, besides word of mouth.

I daresay an email will pop up in a few days, anyway, if this continues to follow the normal pattern of gaming services being hacked.

#6 | CAPT-Irrelevant | 10th August 2012, 11:28 AM

Quote:
Originally Posted by dogthinker
Eh? Nothing says they can't do both. Posting it on their website *guarantees* that I won't see it. I never visit their website unless I'm looking for something specific. I'm probably in a majority of their users, on that count. Emailing me would at least have had a chance of letting me know, besides word of mouth.

I daresay an email will pop up in a few days, anyway, if this continues to follow the normal pattern of gaming services being hacked.
Well, at least they're not pulling off a 'SOE' and notifying everything 7 DAYS AFTER the breach.

#7 | Sorrow | 10th August 2012, 11:37 AM

Quote:
Originally Posted by dogthinker
Eh? Nothing says they can't do both. Posting it on their website *guarantees* that I won't see it. I never visit their website unless I'm looking for something specific. I'm probably in a majority of their users, on that count. Emailing me would at least have had a chance of letting me know, besides word of mouth.

I daresay an email will pop up in a few days, anyway, if this continues to follow the normal pattern of gaming services being hacked.
And if your email address on the account was changed by someone who hacked into the account?

#8 | raze101 | 10th August 2012, 11:59 AM

Quote:
Originally Posted by CAPT-Irrelevant
Well, at least they're not pulling off a 'SOE' and notifying everything 7 DAYS AFTER the breach.
No, Only 6 days

http://sea.battle.net/support/en/art...ity-update-faq

The intrusion occurred on the 04/08/12.

#9 | Blackass | 10th August 2012, 12:12 PM

Quote:
This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.
Let me read into this.
1) Blizzard security team are not experts because they had to call in security experts to investigate what happened.
2) On the assumption that point 1 is true, there could have been numerous undetected intrusions leading up to this point. Logic dictates if it's been done once it's been done before.
3) If Blizzard has to call in experts to investigate what happened, why should I believe that only non-critical information was accessed. If a person gets access to all information then why wouldn't they take everything?
4) Based on what they know (which is nothing, see point 1) we are to believe that the hacker/whoever didn't have access to ALL of our account information?

This is just PR spin by Blizzard. They are trying to play down what is a fatal flaw in a multi billion dollar company where online capability is their only revenue stream. Blizzard can go f*ck themselves. This sh*t is serious and should not be played down.

#10 | Philll | 10th August 2012, 12:16 PM

Wasn't it only a month or two back where all of those people were desperately trying to convince me of how secure they were?

#11 | BAK | 10th August 2012, 12:18 PM

Quote:
Originally Posted by Blackass
Let me read into this.
1) Blizzard security team are not experts because they had to call in security experts to investigate what happened.
2) On the assumption that point 1 is true, there could have been numerous undetected intrusions leading up to this point. Logic dictates if it's been done once it's been done before.
3) If Blizzard has to call in experts to investigate what happened, why should I believe that only non-critical information was accessed. If a person gets access to all information then why wouldn't they take everything?
4) Based on what they know (which is nothing, see point 1) we are to believe that the hacker/whoever didn't have access to ALL of our account information?

This is just PR spin by Blizzard. They are trying to play down what is a fatal flaw in a multi billion dollar company where online capability is their only revenue stream. Blizzard can go f*ck themselves. This sh*t is serious and should not be played down.
Or, Blizzard take any security breach seriously which results in an external review. I'm pretty happy with the way this has played out. All personal data was encrypted so it's unlikely we'll see too many (if any) accounts compromised as a result of this. Yes they could have notified by email, but I suspect they'll be announcing it on the login screens of their games as well as the social media/website announcements so that's not a big deal.

Security breaches happen, no system is immune. From what I've seen Blizzard have done a reasonable job of minimising the effects, both pro- and re-actively.

#12 | Blackass | 10th August 2012, 12:30 PM

Quote:
Originally Posted by BAK
Or, Blizzard take any security breach seriously which results in an external review. I'm pretty happy with the way this has played out. All personal data was encrypted so it's unlikely we'll see too many (if any) accounts compromised as a result of this. Yes they could have notified by email, but I suspect they'll be announcing it on the login screens of their games as well as the social media/website announcements so that's not a big deal.

Security breaches happen, no system is immune. From what I've seen Blizzard have done a reasonable job of minimising the effects, both pro- and re-actively.
What they should have said:
"We have decided to engage additional security experts to review our security processes to ensure they remain the best in the business, and ensure intrusions remain a very remote possibility in the future".

What they said:
"We dunno wtf happened cos Bobby Kotick cut costs to a point where monkeys are in charge of critical systems. Paying monkeys with bananas is cheaper than employing industry leaders because the bottom line for shareholders is more important than protecting customer privacy. In addition, the Blizzard fanboys will snuff out any negativity regarding this event. Get an authenticator so we can continue with crap security and monkeys".

#13 | BAK | 10th August 2012, 12:32 PM

Quote:
Originally Posted by Blackass
What they should have said:
"We have decided to engage additional security experts to review our security processes to ensure they remain the best in the business, and ensure intrusions remain a very remote possibility in the future".

What they said:
"We dunno wtf happened cos Bobby Kotick cut costs to a point where monkeys are in charge of critical systems. Paying monkeys with bananas is cheaper than employing industry leaders because the bottom line for shareholders is more important than protecting customer privacy. In addition, the Blizzard fanboys will snuff out any negativity regarding this event. Get an authenticator so we can continue with crap security and monkeys".
You sound like a calm and reasonable person with an unbiased opinion!

#14 | Blackass | 10th August 2012, 12:36 PM

It's neither biased, nor an opinion, that Blizzard was hacked and personal information was taken. I give companies a pass on crappy content and money making elements even if I don't like it, but when it comes to security and personal information there is no room for anything but 100% protection. If they fail in this responsibility then they don't get a pass from me.

#15 | atech | 10th August 2012, 12:42 PM

Quote:
Originally Posted by Blackass
Let me read into this.
1) Blizzard security team are not experts because they had to call in security experts to investigate what happened.
2) On the assumption that point 1 is true, there could have been numerous undetected intrusions leading up to this point. Logic dictates if it's been done once it's been done before.
3) If Blizzard has to call in experts to investigate what happened, why should I believe that only non-critical information was accessed. If a person gets access to all information then why wouldn't they take everything?
4) Based on what they know (which is nothing, see point 1) we are to believe that the hacker/whoever didn't have access to ALL of our account information?

This is just PR spin by Blizzard. They are trying to play down what is a fatal flaw in a multi billion dollar company where online capability is their only revenue stream. Blizzard can go f*ck themselves. This sh*t is serious and should not be played down.
Not exactly a fatal flaw, otherwise we would be seeing another Sony job all over again.

It most definitely is serious, and as far as I can tell Blizzard is not playing it down - they have already investigated the issue, provided information to all of its customers as to what has occurred and have provided somewhat of a remediation strategy to follow. As you have said, a multi-billion dollar corporation like Blizzard will definitely look into the attack.

Most likely that Blizzard has some form of SIEM that has picked this breach up (I'm sure Blizzard would get attacked regularly) - admins would have looked into it and seen the extent of the breach and decided that it would be better to call in some experts to investigate further.

All times are GMT +10.